(Reuters) — German fintech company N26, which made its name mocking traditional banks, has found itself on the receiving end of criticism after a security researcher proved its smartphone apps exposed users to potential account hijacking.
N26, previously known as Number26, has expanded rapidly since it launched in early 2015 as a smartphone-only bank with no local branches, with the backing of major global investors including Silicon Valley’s Peter Thiel.
Vincent Haupert, a research fellow and PhD student in the computer science department of the University of Erlangen-Nuernberg, told the Chaos Communications Congress in Hamburg how he and two colleagues found N26 security defenses riddled with holes that could have been used to defraud thousands of users.
“They say you can open a bank account in just eight minutes,” Haupert said. “As it turns out, you can lose it even faster.”
In a statement, N26 thanked Haupert for alerting the company to “a theoretical security vulnerability” and advising it on fixes, which N26 said it completed this month.
N26 offers a range of online banking and other financial services to 200,000 customers in 17 European countries through a banking license granted earlier this year by German financial regulator Bafin.
N26 executives have been the most outspoken among new fintech players in arguing traditional banks are failing to serve customers more directly by relying on antiquated local branch relationships instead of modern, phone-based services.
“I don’t see banks at all as my competitors. They just can’t move fast enough,” N26 Chief Executive Valentin Stalf told Reuters last year.
Haupert told the Chaos conference, Europe’s biggest annual gathering of hackers, how his team had found numerous ways to attack N26 banking apps to hijack individual customer accounts.
“With such a strategy, fintechs squander the trust that banks established over years,” he said.
For example, Haupert said he compared data from a leak of 68 million account credentials from online file sharing company Dropbox with information on N26 users he was able to request from the company’s own software feed to identify 33,000 N26 user credentials – without being thwarted by N26 anti-fraud systems.
From there, he said it would have been simple to send a phishing email to these N26 customers that could potentially have allowed him to break into their accounts.
“Don’t worry, we didn’t do this,” Haupert said. “My professor had legal concerns.”
Instead, Haupert disclosed his research findings to N26 on Sept. 25.
In response, N26 said in a statement it had made customer accounts more secure by reducing and encrypting data transfers, by blocking brute-force attacks in which hackers can quickly guess user credentials, and fixing voice-recognition security weaknesses in its app for the newest Apple mobile devices.
“At no time during these scenarios was personal data of our customers available to third parties,” the statement said. “No N26 customer was impacted by the demonstrated vulnerabilities.”
It added: “We have fully addressed and closed all vulnerabilities promptly and completely” and quoted Haupert as saying earlier this month that all vulnerabilities he had uncovered appeared to have been fixed.
Still, Haupert said regulators needed to take a closer look at the security of banks. “It was Bafin that granted a banking license to N26 only six months ago,” he said, adding that security weaknesses at that time were rampant.
A spokesman for the financial regulator declined to comment.
(Reporting by Eric Auchard; Editing by Mark Potter)